b"           OFFICE OF\n    THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n      THE SOCIAL SECURITY\n       ADMINISTRATION\xe2\x80\x99S\n     INCIDENT RESPONSE AND\n       REPORTING SYSTEM\n\n\n   August 2007   A-14-07-17070\n\n\n\n\n AUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                            SOCIAL SECURITY\nMEMORANDUM\n\nDate:      August 3, 2007                                                          Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   The Social Security Administration\xe2\x80\x99s Incident Response and Reporting System\n           (A-14-07-17070)\n\n\n           OBJECTIVE\n\n           The objective of our review was to determine if the Social Security Administration (SSA)\n           has an effective system for detecting, reporting, and responding to security incidents, in\n           accordance with Federal regulations and established standards and guidelines.\n\n           BACKGROUND\n\n           Computer security-related threats have not only become numerous, diverse, and rapidly\n           evolving but also more damaging and disruptive. Incident response capabilities are\n           necessary for rapidly detecting incidents, minimizing loss and destruction, and restoring\n           computing services. Incident response and reporting guidelines and procedures should\n           have consistent, effective, and efficient actions, which are particularly important for\n           incidents that may lead to prosecution. Also, handling evidence in a forensically sound\n           manner puts decision makers in a position where they can confidently take the\n           necessary actions. 1\n\n           For an organization, an effective incident response capability is a complex undertaking\n           and requires substantial planning and resources which should include:\n\n               \xe2\x80\xa2   continuous monitoring for threats through intrusion detection systems;\n               \xe2\x80\xa2   establishing clear procedures to assess the business impact of incidents;\n               \xe2\x80\xa2   implementing effective methods to collect, analyze and report data; and\n               \xe2\x80\xa2   developing relationships with appropriate internal and external groups.\n\n\n\n\n           1\n            National Institute of Standards and Technology Special Publication (SP) 800-86, Guide to Integrating\n           Forensic Techniques into Incident Response, August 2006.\n\x0cPage 2 - The Commissioner\n\n\nThe Federal Information Security Management Act of 2002 (FISMA) requires Federal\nagencies to develop, document, and implement an information security program that\n                                                                                      2\nincludes procedures for detecting, reporting, and responding to security incidents. In\nJuly 2006, the Office of Management and Budget (OMB) released updated guidance 3\non the reporting of security incidents involving Personally Identifiable Information (PII) 4\nto the United States Computer Emergency Readiness Team (US-CERT). Agencies are\nnow required to report all incidents involving PII to US-CERT within 1 hour of\ndiscovering the incident. In September 2006, OMB issued a memorandum 5 that\ncontained the Identity Theft Task Force recommendations on the approach a\ndepartment or agency should take in responding to a theft, loss, or unauthorized\nacquisition of personal information (i.e., incident) that poses a risk of subsequent\nidentity theft.\n\nSSA maintains some of the largest databases of any civilian Federal agency. These\ndatabases contain PII such as names, addresses, Social Security numbers (SSN),\ndates of birth, and mothers\xe2\x80\x99 maiden names. SSA\xe2\x80\x99s Office of Systems (OS) is\nresponsible for maintaining these databases. Within OS, the Office of\nTelecommunications and Systems Operations (OTSO) is responsible for controlling and\nprotecting the databases. To meet the requirements of FISMA, SSA developed several\nmethods to detect, remediate, report, and track security incidents. SSA established a\nteam within OS to handle security incidents on a daily basis. SSA also has a contractor\nthat operates an automated intrusion detection system. SSA routinely monitors firewall\nactivity to detect any incidents. Additionally, there is a help desk for employees to\ncontact in the event of information technology problems including potential security\nincidents. Potential security incidents are tracked in SSA\xe2\x80\x99s Change Asset Problem\nReporting System (CAPRS).\n\nRESULTS OF REVIEW\n\nSSA has established a framework for its incident response and reporting system.\nThere are various components within SSA that work together to protect the Agency\xe2\x80\x99s\npersonal information and effectively remediate incidents when they occur. While the\nAgency works diligently to protect itself against the latest security related incidents, the\nfollowing areas need improvement:\n\n2\n    Public Law (PL) 107-347, Title III, sections 301-303, 16 Stat. 2899, 2946-2959 (2002).\n\n3\n  OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and\nIncorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006.\n4\n PII is any information about an individual maintained by an agency, including, but not limited to,\neducation, financial transactions, medical history, and criminal or employment history and information\nwhich can be used to distinguish or trace an individual's identity, such as their name, Social Security\nnumber, date and place of birth, mother\xe2\x80\x99s maiden name, biometric records, etc., including any other\npersonal information which is linked or linkable to an individual.\n5\n OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notifications,\nSeptember 20, 2006.\n\x0cPage 3 - The Commissioner\n\n\n    \xe2\x80\xa2   SSA needs to appropriately address all security incidents, and\n    \xe2\x80\xa2   SSA needs to ensure that the Office of the Inspector General (OIG) is\n        appropriately included in the incident response process.\n\nSSA NEEDS TO APPROPRIATELY ADDRESS ALL SECURITY INCIDENTS\n\nWe determined that SSA did not identify and report all appropriate incidents to the\nOffice of the Chief Information Officer (OCIO), US-CERT, and OIG. SSA needs to\nreport all appropriate security incidents to US-CERT and law enforcement as required\nby FISMA. US-CERT coordinates defense against and responses to cyber attacks\nacross the Nation.\n\nThere are two types of security incidents: (1) computer security-related, and (2) PII.\nFor the computer security-related incidents, US-CERT has published seven computer\nsecurity incident and event categories for Federal agencies, in accordance with\n                                                                                    6\nNational Institute of Standards and Technology (NIST) Special Publication 800-61.\nThe incident and event categories along with their respective reporting timeframes are\nreflected in Tables 1 and 2 which follow.\n\n                                         Table 1\n                            Federal Agency Incident Categories\n           Category                    Name                       Reporting Timeframe\n                                                               Not Applicable \xe2\x80\x93 for Agency's\n          Category 0     Exercise/Network Defense Testing\n                                                                       internal use.\n                                                                     Within 1 hour of\n          Category 1           Unauthorized Access\n                                                                   discovery/detection.\n                                                                     Within 2 hours of\n          Category 2             Denial of Service\n                                                                   discovery/detection.\n                                                                           Daily\n                                                                     Within 1 hour of\n          Category 3              Malicious Code\n                                                             discovery/detection if widespread\n                                                                      across agency.\n          Category 4              Improper Usage                          Weekly\n\n\n                                          Table 2\n                              Federal Agency Event Categories\n          Category                 Name                          Reporting Timeframe\n        Category 5     Scans/Probes/Attempted Access                     Monthly\n                                                              Not Applicable \xe2\x80\x93 for Agency's\n        Category 6     Investigation\n                                                                      internal use.\n\n\n\n\n6\n NIST SP 800-61, Computer Security Incident Handling Guide, Section 2.1, January 2004; http://www.us-\ncert.gov/federal/reportingRequirements.html.\n\x0cPage 4 - The Commissioner\n\n\nComputer Security-Related Incidents\n\nFrom October 1, 2005 through January 26, 2007, SSA did not report any computer\nsecurity-related incidents to US-CERT. We reviewed all potential computer security-\nrelated incidents in CAPRS for that time period and found 75 cases that should have\nbeen reported. Specifically, we identified 39 \xe2\x80\x9cCategory 3 \xe2\x80\x93 Malicious Code\xe2\x80\x9d incidents,\n23 \xe2\x80\x9cCategory 4 \xe2\x80\x93 Improper Usage\xe2\x80\x9d incidents, and 9 \xe2\x80\x9cCategory 5 \xe2\x80\x93\nScans/Probes/Attempted Access\xe2\x80\x9d events that should have been reported to US-CERT.\nWe identified an additional 4 \xe2\x80\x9cCategory 5 \xe2\x80\x93 Scans/Probes/Attempted Access\xe2\x80\x9d events\nwhich were not included in SSA\xe2\x80\x99s CAPRS database, for a total of 75 incidents and\nevents that should have been reported to US-CERT. For example, one incident not\nreported concerned a workstation that had a virus that could not be remediated through\nthe normal channels of running anti-virus software. The workstation had to be re-\nimaged. Another example included hacking attempts where SSA sends a letter to the\nsource\xe2\x80\x99s Internet Service Provider informing them of the illegal activity.\n\nSSA reported that during 2004, it developed and US-CERT approved an approach that\nlimited reporting to only incidents that could not be prevented, or if successful, caused\nundue harm. SSA could not provide documentation regarding this agreement with US-\nCERT. We contacted US-CERT personnel and they noted that it is not their practice to\nmake these types of agreements with Federal agencies. Applying its own approach,\nSSA accordingly reported zero incidents. OS is responsible for identifying and\nevaluating potential incidents and informing the OCIO. However, we believe the\nAgency did not meet the intent of US-CERT\xe2\x80\x99s guidance 7 when it refrained from\nreporting instances where the activities were successfully mitigated and did not impact\nSSA services, internally or externally. Therefore, SSA needs to properly categorize and\nreport computer-related security incidents in accordance with NIST and US-CERT.\nSSA plans to meet with US-CERT to discuss the Agency\xe2\x80\x99s incident categorization and\nreporting practices so it is consistent with Federal regulations and guidelines.\n\nPersonally Identifiable Information Incidents\n\nFor the PII incidents, we identified a total of 1,106 potential incidents in CAPRS from\nAugust 9, 2006 through January 26, 2007. During our review of the potential PII\nincidents, we found 147 incidents involving more than 1 record (see Table 3) that were\nsimilar to other incidents SSA reported to US-CERT. US-CERT collects this information\nto identify trends and ensure Agencies take corrective measures if incidents recur and\nweaknesses continue to exist.\n\nSSA reported 8 of the 147 incidents. For example, one of the eight incidents reported\ninvolved the theft of a laptop and case folders that were not recovered. We have listed\nsome examples from the 139 unreported incidents that were similar to the 8 incidents\nreported.\n\n\n\n7\n    NIST SP 800-61, Computer Security Incident Handling Guide, Section 2.1, January 2004.\n\x0cPage 5 - The Commissioner\n\n\n      \xe2\x80\xa2   A workstation was stolen from a field office that was burglarized. SSA never\n          received the workstation back.\n      \xe2\x80\xa2   A box was lost during shipment from a Disability Determination Services (DDS)\n          office to a Program Service Center. The box contained eight disability folders\n          that were not recovered.\n      \xe2\x80\xa2   A DDS employee e-mailed 55 claimants\xe2\x80\x99 SSNs, name, and case numbers to a\n          \xe2\x80\x9cHotmail\xe2\x80\x9d e-mail account.\n\n                                             Table 3\n                        PII Incidents Involving More Than One Record\n\n                                      Incidents Reported by             Unreported\n           PII Categories                                                            Total Incidents\n                                               SSA                       Incidents\nMore than one record was\ndisclosed and the records were                  0                          53              53\nreturned or retrieved\nMore than one record was\ndisclosed and the records were                  8                          86              94\nnot returned or retrieved\nTOTAL                                           8                          139            147\n\nThe Agency advised us that a risk-based approach was used to determine what was\nreported to the former Commissioner 8 and to US-CERT. The former Commissioner\nmade the final decision on what was reported to US-CERT.\n\nIn addition to the 147 incidents involving multiple records identified above, we\ndiscovered 959 incidents that involved only 1 claimant\xe2\x80\x99s record. SSA reported only one\nincident (see Table 4) involving one record to US-CERT. This incident involved an SSA\ndocument that was given to an unauthorized individual and returned. We have listed\nbelow some examples that are similar to the one incident reported.\n\n      \xe2\x80\xa2   A detailed earnings query was accidentally mailed out to a wrong individual.\n      \xe2\x80\xa2   A DDS employee sent disability information to the wrong claimant.\n      \xe2\x80\xa2   A request for medical information was inadvertently sent to the wrong doctor.\n\n\n\n\n8\n    Jo Anne B. Barnhart, Commissioner of Social Security 2001 \xe2\x80\x93 2007.\n\x0cPage 6 - The Commissioner\n\n\n                                                Table 4\n                                 PII Incidents Involving One Record\n\n                                     Incidents Reported by    Unreported\n         PII Categories                                                      Total Incidents\n                                              SSA              Incidents\nOne record was disclosed and\nthe record was returned or                    1                  684              685\nretrieved.\nOne record was disclosed and\nthe record was not returned or                0                  274              274\nretrieved.\nTOTAL                                         1                  958              959\n\nSSA needs to develop a formal policy for reporting PII incidents to US-CERT and\nensure its compliance. The Agency is revising the policy for reporting PII to reflect\ndecisions of SSA\xe2\x80\x99s Commissioner. The Agency estimates that more of the PII incidents\nrecorded in CAPRS will be reported to US-CERT when the new policy is fully\nimplemented.\n\nFor the PII incidents returned to the Agency, SSA did not record the amount of time the\nPII was out of the Agency\xe2\x80\x99s possession. SSA should also track the length of time PII is\nout of its control.\n\nThe incidents and events listed above that were not reported to OCIO, US-CERT or law\nenforcement were the result of the following weaknesses in SSA\xe2\x80\x99s incident reporting\npolicies and procedures.\n\n    \xe2\x80\xa2   SSA lacks written procedures for detecting and reporting security incidents.\n    \xe2\x80\xa2   SSA\xe2\x80\x99s policy definition for a security incident is compliant with NIST and US-\n        CERT; but the definition was not consistently implemented throughout the\n        Agency.\n    \xe2\x80\xa2   SSA\xe2\x80\x99s roles and responsibilities for incident reporting do not comply with FISMA.\n\nSSA Lacks Written Procedures for Detecting and Reporting Security Incidents\n\nSSA did not adequately report all security incidents to US-CERT because SSA does not\nhave adequate written procedures for detecting and reporting security incidents.\nAccording to FISMA, Federal agencies should have procedures to detect, report, and\nrespond to security incidents. During our audit, we found the Agency lacked\nprocedures to review information provided by US-CERT for detecting security incidents.\nFor example, US-CERT provides Federal agencies with data regarding suspicious\nInternet protocol addresses and key logging incidents for agencies to incorporate into\ntheir response programs. SSA did not always review or use this data to avoid or detect\nsecurity incidents. As a result of the lack of regular reviews, security information\navailable from US-CERT in September 2006 was not addressed until brought to SSA\xe2\x80\x99s\nattention in February 2007. At the end of the audit, SSA provided us procedures for\nreviewing and responding to security events from US-CERT.\n\x0cPage 7 - The Commissioner\n\n\nWe also found the Agency lacked formal written procedures for reporting security\nincidents to US-CERT but the Agency plans to develop them in accordance with NIST.\nOCIO plans to have this developed by the fourth quarter of Calendar Year 2007. Once\nSSA has finalized its revised incident security policy, then procedures can be written to\naddress the specific functions.\n\nSSA\xe2\x80\x99s Policy Definition for a Security Incident is Compliant with NIST and US-\nCERT; but the Definition Was Not Consistently Implemented throughout the\nAgency\n\nSSA\xe2\x80\x99s implementation of its applied definition of a security incident was inconsistent\nwith formal Federal guidance. According to SSA, an approach was developed with US-\nCERT approval, which limited reporting to only incidents that could not be prevented, or\nif successful caused undue harm. SSA\xe2\x80\x99s Information Systems Security Handbook\n(ISSH) is the official security policy for the Agency. Although the ISSH definition of a\nsecurity incident concurred with the NIST and US-CERT definition, the actual practices\nfollowed by the Agency were not documented in the ISSH, leaving misconceptions over\nwhat should be reported to US-CERT. However, as noted above, no documentation\nsupporting an agreement with US-CERT was provided and US-CERT states it does not\nmake agreements with individual agencies.\n\nPrior to July 2006, the ISSH definition included \xe2\x80\x9c\xe2\x80\xa6suspected viruses, threats to\npersons, attempted systems intrusions, unauthorized release of Privacy Act information,\ntheft of government or personal property, or any other suspicious situation.\xe2\x80\x9d 9 In July\n2006, the ISSH was updated to define a security incident as follows:\n\n            An event in a computer system, or the threat of such an event, that\n            would cause an adverse impact on the system. Examples of security\n            incidents include malicious code (virus, worm, or Trojan horse), e-\n            mail bombardment (spamming), an unauthorized change in system\n            configuration or discovery of an unknown \xe2\x80\x9chidden file\xe2\x80\x9d, repeated\n            attempts to access SSA\xe2\x80\x99s systems (hacking), or a stranger\xe2\x80\x99s attempt\n            to learn PINs and passwords under false pretexts (social\n            engineering). 10\n\nOTSO is the component responsible for monitoring SSA\xe2\x80\x99s firewall, logging security\nevents that need to be researched, identifying security incidents, and reporting incidents\n\n\n\n\n9\n Information Systems Security Handbook (ISSH), Chapter 16, Security Incident Identification, Reporting\nand Resolution, page 3, May 2001.\n10\n     ISSH, Chapter 7, July 15, 2006.\n\x0cPage 8 - The Commissioner\n\n\nto the OCIO. The definition of a security incident SSA applied did not include\n\xe2\x80\x9cattempts\xe2\x80\x9d or \xe2\x80\x9cthreats,\xe2\x80\x9d as follows: \xe2\x80\x9cA computer incident is an adverse event, which\n                                                               11\ncompromises some aspect of computer or network security.\xe2\x80\x9d\n\nNIST defines an incident as \xe2\x80\x9c\xe2\x80\xa6a violation or imminent threat of violation of computer\nsecurity policies, acceptable use policies, or standard security practices.\xe2\x80\x9d 12 While\nSSA\xe2\x80\x99s published definition of a security incident was similar to the US-CERT definition\nand included spamming, the definition was not being fully followed by OS.\nConsequently, OS only reported incidents involving PII to the OCIO and did not\nconsider threats or attempted intrusions as security incidents. In addition, SSA needs\nto revise its definition of a security incident to concur with NIST.\n\nSSA\xe2\x80\x99s Roles and Responsibilities for Incident Reporting Do Not Comply with\nFISMA\n\nSSA did not fully implement the roles and responsibilities for reporting security incidents\nin accordance with FISMA. FISMA requires Federal agencies to develop, document,\n                                                                 13\nand implement an agency-wide information security program. FISMA designates the\nresponsibility for developing and maintaining the agencywide information security\nprogram to the agencies\xe2\x80\x99 Chief Information Officers (CIO). 14 This security program\nmust include an incident response capability. This capability includes procedures for\n                                                              15\ndetecting, reporting, and responding to security incidents. FISMA also grants NIST\n                                                                              16\nthe responsibility to develop security standards, guidelines, and procedures. NIST\nstates the incident response capability should include: \xe2\x80\x9c\xe2\x80\xa6organizational structure and\ndelineation of roles, responsibilities, and levels of authority.\xe2\x80\xa6\xe2\x80\x9d 17\n\nSSA has established a Security Response Team (SRT) to respond when significant\nincidents arise. As described in the Agency\xe2\x80\x99s ISSH, one of the roles of the SRT is to\nrespond to incidents involving computer systems, Internet and Intranet servers, and\nLocal Area Network (LAN) Servers, including malicious code (virus, worm, or Trojan\nhorse) and e-mail bombardment (spamming), and alerts all end users to current threats\n\n\n\n11\n   An Overview of the Computer Incident Response Process at the Social Security Administration, Office\nof Systems, Office of Telecommunications and Systems Operations, Division of Telecommunications\nSecurity and Standards, April 28, 2005.\n12\n     NIST SP 800-61, Computer Security Incident Handling Guide, Section 2.1, January 2004.\n13\n     44 United States Code (USC) \xc2\xa7 3544.\n14\n     44 USC \xc2\xa7 3544(3)(B).\n15\n     44 USC \xc2\xa7 3544(a)(3)(B).\n16\n     15 USC \xc2\xa7 278g-3.\n17\n     NIST SP 800-61, Computer Security Incident Handling Guide, Section 2.3.1, January 2004.\n\x0cPage 9 - The Commissioner\n\n\nto the system. Additionally, the ISSH states the SRT \xe2\x80\x9c\xe2\x80\xa6consists of security staff,\nsystems personnel, and representatives of the Office of the Inspector General.\xe2\x80\x9d 18\n\nSRT has not convened over the past several years when significant incidents have\noccurred. Part of the reason for this inactivity seems to be that the criteria for invoking\nthe SRT has not been clearly defined and documented. Additionally, the components\nand their representatives serving on the SRT have not been clearly identified.\nWe believe it is critical that the ISSH identify the components that are represented on\nthe SRT. In this era of rapidly changing personnel, it is essential that the SRT be as\nclearly defined as possible to ensure effective continuity and performance of the\nincident response and reporting process.\n\nSSA also did not comply with FISMA with regard to responsibility for notification of\nincidents. The ISSH states that the Deputy Commissioner for Systems (DCS) is\n\xe2\x80\x9c\xe2\x80\xa6responsible for preparing and sending reports to the US-CERT on security\n            19\nincidents.\xe2\x80\x9d According to FISMA, a Federal agency\xe2\x80\x99s CIO should notify and consult\nwith US-CERT. 20 According to SSA, although DCS sends the monthly incident reports\nto the OCIO, DCS also sent the monthly incident reports directly to US-CERT through\nApril 2006. SSA did not send any monthly reports to US-CERT from May through\nNovember 2006. Then, after internal Agency discussions on SSA\xe2\x80\x99s FISMA\nrequirements, the OCIO began reporting the monthly incidents to US-CERT. Because\nof this lack of a formalized process, the type and number of incidents reported to US-\nCERT was inconsistent. SSA\xe2\x80\x99s security policy needs to be updated to reflect the\ncurrent process for reporting incidents in accordance with FISMA. The OCIO plans to\nrevise the Agency\xe2\x80\x99s security policy for reporting incidents.\n\nSSA NEEDS TO ENSURE THAT THE OIG IS INCLUDED IN THE INCIDENT\nRESPONSE PROCESS WHEN APPROPRIATE\n\nSince September 11, 2001, Inspectors General have worked with agencies to afford\ngreater protection over the Nation\xe2\x80\x99s critical assets. Identity theft has increasingly\nbecome a more prevalent and destructive crime. As the holder of one of the largest\ndatabases of PII, SSA can be a prime target for terrorists and criminals who wish to\nharm our Nation and its citizens. SSA\xe2\x80\x99s Inspector General has the tools and is in the\nposition to help SSA secure information and prevent harm.\n\nTo mitigate the risk of identity theft, OMB issued a memorandum 21 recommending that\nall Federal agencies establish \xe2\x80\x9c\xe2\x80\xa6a core response group that can be convened in the\nevent of a breach.\xe2\x80\x9d The memorandum also recommended that, in the event of a\n\n18\n     ISSH, Chapter 7, Appendix B, Roles and Responsibilities.\n19\n     ISSH, Section 7.4, Appendix B.\n20\n     44 USC \xc2\xa7 3544(b)(7)(C)(iii).\n21\n  OMB Memorandum Recommendations for Identity Theft Related Breach Notification,\nSeptember 20, 2006.\n\x0cPage 10 - The Commissioner\n\n\nbreach, the core response group conduct a risk analysis to determine whether the\nincident poses problems related to identity theft and, if the risk of identity theft is\npresent, that the agency tailors its response accordingly.\n\nThe memorandum states:\n\n         \xe2\x80\xa6a core group should include, at a minimum, an agency\xe2\x80\x99s chief\n         information officer, chief legal officer, chief privacy officer (or their\n         designees), a senior management official from the agency, and the\n         agency\xe2\x80\x99s inspector general (or equivalent or designee). Such a\n         group should ensure that the agency has brought together many of\n         the basic competencies needed to respond, including expertise in\n         information technology, legal authorities, the Privacy Act, and law\n         enforcement.\n\nIn terms of safeguarding PII, SSA stated it is in the process of reviewing and revising\nthe PII policies and procedures developed under the direction of the former\nCommissioner to reflect the direction of SSA\xe2\x80\x99s current Commissioner. Part of the\nrevised process will be to put in place an agencywide governance model, which will\ninclude an executive level steering committee as well as other standing and ad hoc\nworkgroups and teams which will oversee the development and implementation of the\nAgency\xe2\x80\x99s policies for safeguarding PII. For example, the Agency will use a cross\ncomponent workgroup to develop PII notice and remediation issues including\nestablishing a \xe2\x80\x9ccore group\xe2\x80\x9d as recommended in OMB\xe2\x80\x99s memorandum 22 concerning data\nbreach notification. However, as of June 1, 2007, SSA has not included the OIG in the\ncore response group as recommended by OMB.\n\nSSA did not consistently notify OIG\xe2\x80\x99s Office of Investigations when security incidents\noccurred so that OIG could have assisted in the preservation of electronic evidence and\npotentially pursue the matter for further investigation, if necessary. We identified at\nleast six incidents and events that should have been referred to the OIG for\ninvestigation\xe2\x80\x94two PII incidents and four security-related events. For example, one\nincident involved an employee having unauthorized password cracking software running\non an external hard drive connected to his workstation. Another example involved an\nemployee who misappropriated approximately 40 case folders for her personal use.\nThe four security-related events involved hacking attempts when SSA sent abuse\nletters to Internet Service Providers (ISP). When the ISPs did not respond, SSA should\nhave referred these cases to OIG so that an appropriate investigation would have been\nperformed and appropriate action taken.\n\n\n\n\n22\n  OMB Memorandum Recommendations for Identity Theft Related Breach Notification,\nSeptember 20, 2006.\n\x0cPage 11 - The Commissioner\n\n\nFISMA requires Federal agencies, as part of their security program, to have procedures\nfor notifying and consulting with law enforcement agencies, including the OIG, when\n                 23\nincidents occur. Additionally, NIST guidance recommends that law enforcement be\ncontacted \xe2\x80\x9c\xe2\x80\xa6through designated individuals in a manner consistent with the\nrequirements of the law and the organization\xe2\x80\x99s procedures.\xe2\x80\x9d 24\n\nCONCLUSION AND RECOMMENDATIONS\nWe found SSA has taken steps to detect, report, and respond to security incidents.\nThe Agency has established a framework for its incident response and reporting\nsystem, and components within SSA work diligently to protect the Agency\xe2\x80\x99s personal\ninformation and effectively remediate incidents when they occur. However, we have\nidentified areas that need improvement, such as in SSA\xe2\x80\x99s core response group,\nconsistency in the Agency\xe2\x80\x99s incident reporting policy and practices, the classification\nand reporting of incidents, and in the stipulations of the SRT. Therefore, we\nrecommend SSA:\n\n1. Ensure the definition of a security incident consistent with NIST is known and used\n   throughout the Agency.\n\n2. Align policy, procedures and practices for reporting PII incidents including the\n   Agency\xe2\x80\x99s escalation policy to US-CERT.\n\n3. Fully develop and implement formal written procedures consistent with the Agency\xe2\x80\x99s\n   policy and practice for reporting Computer-Related Security incidents to US-\n   CERT.\n\n4. Properly categorize and report computer-related security incidents in accordance\n   with the NIST and US-CERT criteria.\n\n5. Finalize and implement formal written procedures for reviewing and responding to\n   security events from US-CERT.\n\n6. Fully implement the SRT identified in the Agency\xe2\x80\x99s incident response policy. This\n   includes adequately identifying all members of the SRT and defining criteria for\n   when the SRT should be invoked.\n\n7. Include the OIG in the core response group recommended by the September 20,\n   2006 OMB Memorandum.\n\n8. Ensure that OIG is notified of all actual or potential security incidents when they\n   occur, so OIG can determine whether further criminal investigation is required.\n\n\n23\n     44 USC \xc2\xa7 3544(b)(7)(C)(i).\n24\n     NIST SP 800-61, Computer Security Incident Handling Guide, Section 2.3.2.2, January 2004.\n\x0cPage 12 - The Commissioner\n\n\nAGENCY COMMENTS\nSSA agreed with all our recommendations. See Appendix C for the full text of SSA\xe2\x80\x99s\ncomments.\n\n\n\n\n                                             Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                           Appendix A\n\nAcronyms\nCAPRS     Change, Asset, and Problem Reporting System\nCIO       Chief Information Officer\nDCS       Deputy Commissioner for Systems\nDDS       Disability Determination Services\nFISMA     Federal Information Security Management Act of 2002\nISSH      Information Systems Security Handbook\nISP       Internet Service Providers\nNIST      National Institute of Standards and Technology\nOCIO      Office of the Chief Information Officer\nOIG       Office of the Inspector General\nOMB       Office of Management and Budget\nOS        Office of Systems\nOTSO      Office of Telecommunications and Systems Operations\nPII       Personally Identifiable Information\nSSA       Social Security Administration\nSP        Special Publication\nSRT       Security Response Team\nU.S.C.    United States Code\nUS-CERT   United States Computer Emergency Readiness Team\n\x0c                                                                                           Appendix B\n\nScope and Methodology\nOur objective was to determine if the Social Security Administration (SSA) has an\neffective system for detecting, reporting, and responding to security incidents in\naccordance with Federal regulations and established standards and guidelines.\n\nTo meet our objective, we examined SSA policies, procedures and practices used by\nthe Agency in their detection and reporting of attacks against its networks. Specifically,\nwe examined:\n\n      \xe2\x80\xa2    SSA\xe2\x80\x99s policy for the Agency\xe2\x80\x99s incident response and reporting system, in the\n           November 15, 2006, June 15, 2006, and the May 2001 version of the Information\n           Systems Security Handbook;\n      \xe2\x80\xa2    Incident response procedures in An Overview of the Computer Incident\n           Response Process at the Social Security Administration, Office of Systems (OS),\n           Office of Telecommunications and Systems Operations, Division of\n           Telecommunications Security and Standards, April 28, 2005;\n      \xe2\x80\xa2    Monthly Computer Incident Reports from October 2005 through November 2006;\n           and\n      \xe2\x80\xa2    Incidents documented in the Change Asset Problem Reporting System\n                                                                                    1\n           according to the Federal Agency Incident Categories (see following table) and\n           recorded incidents when Internet Service Providers were contacted.\n\n\n\n\n1\n    US-CERT Federal Incident Reporting Guidelines, http://www.us-cert.gov/federal/reportingrequirements.html.\n\n\n                                                         B-1\n\x0c                                 Federal Agency Incident Categories\nCategory         Name                              Description                        Reporting Timeframe\n              Exercise/        This category is used during state, federal,\n                                                                                   Not Applicable; this category\nCategory      Network          national, international exercises and approved\n                                                                                   is for each agency's internal\n0             Defense          activity testing of internal/external network\n                                                                                   use during exercises.\n              Testing          defenses or responses.\n                               In this category an individual gains logical or\nCategory      Unauthorized     physical access without permission to a             Within 1 hour of\n1             Access           federal agency network, system, application,        discovery/detection.\n                               data, or other resource\n                               An attack that successfully prevents or impairs     Within 2 hours of\n                               the normal authorized functionality of              discovery/detection if the\nCategory      Denial of        networks, systems or applications by                successful attack is still\n2             Service          exhausting resources. This activity includes        ongoing and the agency is\n                               being the victim or participating in the Denial     unable to successfully\n                               of Service.                                         mitigate activity.\n                               Successful installation of malicious software\n                               (e.g., virus, worm, Trojan horse, or other\n                                                                                   Daily\n                               code-based malicious entity) that infects an\nCategory      Malicious                                                            Note: Within 1 hour of\n                               operating system or application. Agencies are\n3             Code                                                                 discovery/detection if\n                               NOT required to report malicious logic that\n                                                                                   widespread across agency.\n                               has been successfully quarantined by\n                               antivirus software.\nCategory      Improper         A person violates acceptable computing use\n                                                                                   Weekly\n4             Usage            policies.\n\n                                  Federal Agency Event Categories\nCategory           Name                           Description                         Reporting Timeframe\n                                 This category includes any activity that\n                                 seeks to access or identify a federal agency      Monthly\n               Scans/Probes/\nCategory                         computer, open ports, protocols, service, or      Note: If system is classified,\n               Attempted\n5                                any combination for later exploit. This           report within 1 hour of\n               Access\n                                 activity does not directly result in a            discovery.\n                                 compromise or denial of service.\n                                                                                   Not Applicable; this category\n                                 Unconfirmed incidents that are potentially        is for each agency's use to\nCategory\n               Investigation     malicious or anomalous activity deemed by         categorize a potential incident\n6\n                                 the reporting entity to warrant further review.   that is currently being\n                                                                                   investigated.\n\nWe also reviewed the:\n\n      \xe2\x80\xa2   Federal Information Security Management Act of 2002 (FISMA); 2\n      \xe2\x80\xa2   National Institute of Standards and Technology (NIST) Special Publication (SP)\n          800-61, Computer Security Incident Handling Guide, January 2004;\n      \xe2\x80\xa2   NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident\n          Response, August 2006;\n\n\n\n2\n    PL 107-347, Title III, 16 Stat. 2899, 2946-2961 (2002).\n\n\n                                                       B-2\n\x0c   \xe2\x80\xa2   Office of Management and Budget (OMB) Memorandum M-06-19, Reporting\n       Incidents Involving Personally Identifiable Information and Incorporating the Cost\n       for Security in Agency Information Technology Investments, July 12, 2006;\n   \xe2\x80\xa2   OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information,\n       May 22, 2006;\n   \xe2\x80\xa2   OMB Memorandum M-06-20, Fiscal Year 2006 Reporting Instructions for the\n       Federal Information Security Act and Agency Privacy Management, July 17,\n       2006;\n   \xe2\x80\xa2   OMB Memorandum Recommendations for Identity Theft Related Breach\n       Notification, September 20, 2006;\n   \xe2\x80\xa2   OMB Memorandum M-07-16, Safeguarding Against and Responding to the\n       Breach of Personally Identifiable Information, May 22, 2007; and\n   \xe2\x80\xa2   The First Responder\xe2\x80\x99s Guide to Computer Forensics, Carnegie Mellon Software\n       Engineering Institute, March 2005.\n\nWe interviewed representatives from International Business Machines Corporation,\nUnited States Computer Emergency Readiness Team, and the following SSA\ncomponents:\n\n   \xe2\x80\xa2   OS is responsible for technical aspects of implementation and maintenance\n       related to SSA\xe2\x80\x99s incident reporting process; and\n   \xe2\x80\xa2   Office of the Chief Information Officer (OCIO) directs and manages SSA's\n       enterprise information technology security program. This includes establishing\n       Agency-wide security policies, managing the reporting, and monitoring processes\n       to ensure compliance.\n\nWe performed our field work in SSA Headquarters from September 2006 through April\n2007. We determined that the data used in this report was sufficiently reliable to meet\nour audit objectives and intended use of the data. We determined that our use of this\ndata should not lead to an incorrect or unintentional message. The audited entities\nwere OCIO and OS. We conducted our review in accordance with generally accepted\ngovernment auditing standards.\n\n\n\n\n                                           B-3\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\nMEMORANDUM\n\n\n\nDate:      July 19, 2007                                                         Refer To:   S1J-3\n\nTo:        Patrick P. O'Carroll, Jr.\n           Inspector General\n\nFrom:      David V. Foster /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cThe Social Security Administration\xe2\x80\x99s\n           Incident Response and Reporting System\xe2\x80\x9d (A-14-07-17070)--INFORMATION\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the draft report content\n           and recommendations are attached.\n\n           Please let me know if we can be of further assistance. Staff inquiries may be directed to\n           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n                                                         C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S INCIDENT RESPONSE\nAND REPORTING SYSTEM\xe2\x80\x9d(A-14-07-17070)\n\nThank you for the opportunity to review and comment on the draft report. We appreciate your\nconducting this audit of the Social Security Administration\xe2\x80\x99s (SSA) Response and Reporting\nSystem. We recognize the importance of ensuring that the Agency has an effective system for\ndetecting, reporting, and responding to security related incidents, in accordance with Federal\nregulations and established standards and guidelines.\n\nThe report captures the essence of the 2004 agreement between SSA and the United States\nComputer Emergency Readiness Team (US-CERT) officials that limited SSA\xe2\x80\x99s reporting to only\nincidents that could not be prevented, or if were successful, caused undue harm. It is unfortunate\nthat upon SSA OIG\xe2\x80\x99s inquiry to US-CERT officials, they would not confirm the agreement.\nHowever, we stand behind the veracity of the agreement.\n\nRecommendation 1\n\nSSA should ensure the definition of a security incident consistent with the National Institute of\nStandards and Technology (NIST) is known and used throughout the Agency.\n\nComment\n\nWe agree. SSA policy and other directives are inclusive of the definition for a security incident\ndefined by NIST and will be communicated throughout the Agency.\n\nRecommendation 2\n\nSSA should align policy, procedures and practices for reporting personally identifiable\ninformation (PII) incidents including the Agency\xe2\x80\x99s escalation policy to the US-CERT.\n\nComment\n\nWe agree. The Agency will work to ensure practices and procedures for reporting and escalation\nof PII incidents align.\n\nRecommendation 3\n\nSSA should fully develop and implement formal written procedures consistent with the Agency\xe2\x80\x99s\npolicy and practice for reporting Computer-Related Security incidents to US-CERT.\n\n\n\n\n                                                C-2\n\x0cComment\n\nWe agree. We will develop and implement formal written procedures consistent with Agency\npolicy for reporting computer related security incidents to US-CERT. SSA will report computer\nrelated security incidents in accordance with SSA policy, standards and procedures.\n\nRecommendation 4\n\nSSA should properly categorize and report computer-related security incidents in accordance\nwith the NIST and US-CERT criteria.\n\nComment\n\nWe agree. We have updated the Change, Asset, and Problem Reporting System queue to use the\nUS-CERT categories for security incidents.\n\nRecommendation 5\n\nSSA should finalize and implement formal written procedures for reviewing and responding to\nsecurity events from US-CERT.\n\nComment\n\nWe agree. We have updated the procedures to reflect all incidents reported from US-CERT, not\njust keyloggers.\n\nRecommendation 6\n\nSSA should fully implement the Security Response Team (SRT) identified in the Agency\xe2\x80\x99s\nincident response policy. This includes adequately identifying all members of the SRT and\ndefining criteria for when the SRT should be invoked.\n\nComment\n\nWe agree. We will review and update the Agency's incident response policy to include\nidentification of SRT members by position and re-defining criteria for activation.\n\nRecommendation 7\n\nSSA should include the OIG in the core response group recommended by the September 20,\n2006 Office of Management and Budget Memorandum (OMB).\n\n\n\n\n                                              C-3\n\x0cComment\n\nWe agree. Upon completion and implementation of policy for Notification and Remediation, the\nOIG will be included in the core response group.\n\nRecommendation 8\n\nSSA should ensure that OIG is notified of all actual or potential security incidents when they\noccur, so OIG can determine whether further criminal investigation is required.\n\nComment\n\nWe agree. The OIG Criminal Investigations Unit will be notified of all actual or potential\nsecurity incidents when they occur.\n\n\n\n\n[In addition to the comments above, SSA provided technical comments which have\nbeen addressed in this report.]\n\n\n\n\n                                               C-4\n\x0c                                                                     Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kitt Winter, Director, Data Analysis and Technical Audit Division, (410) 965-9702\n\n   Phil Rogofsky, Audit Manager, Network Security and Telecommunications Branch,\n   (410) 965-9719\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Mary Ellen Moyer, Senior Program Analyst\n   Anita McMillan, Senior Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. Refer to Common Identification Number\nA-14-07-17070.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                         Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure program\nobjectives are achieved effectively and efficiently. Financial audits assess whether SSA\xe2\x80\x99s\nfinancial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash flow.\nPerformance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs and\noperations. OA also conducts short-term management and program evaluations and projects on\nissues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c"